White Paper

Cisco Medical-Grade Network: Build a Secure Network for HIPAA Compliance

What You Will Learn

The Cisco Medical-Grade Network (MGN)¹ provides a network foundation that enables reliable, transparent, and secure health data communications among the healthcare community while providing the framework to meet your specific Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. This framework allows integration and interoperability at each functional area to optimize interactions among healthcare participants, processes, applications, and hardware components. Cisco's implementation of MGN includes connecting a main ambulatory health center on a corporate campus to satellite clinics at geographically dispersed campus locations and remote clinician sites.

LifeConnections Health Center

Cisco is a world leader in providing employee benefits that foster a work-life balance, promoting health and wellbeing as a priority. This philosophy came to life with the onsite LifeConnections Health Center (LCHC) in San Jose, California; Research Triangle Park (RTP), North Carolina; and Bangalore, India. The health center gives Cisco employees and their families onsite access to a full range of medical care services, from primary care (physical examinations, immunizations, travel medicine, lab work, and health coaching) to ancillary services and an onsite pharmacy.
Unique to Cisco in the onsite healthcare model is Cisco's technology, powered by a secure Medical-Grade Network that enables:

- Communication needs for clinicians, patients, administrators, and partners
- Patient privacy and data security compliant with healthcare regulatory requirements
- The health center's unique information, technology, bandwidth, and integration capabilities
- Anytime, anywhere information capture and access for wired and wireless applications and devices
- Converged data, voice, and video networks to enhance patient care and collaboration
- Identity- and policy-based security from inside the network to beyond organizational walls
- Ability for Cisco employees to stay connected while they are waiting for their appointments

As shown in Figure 1, Cisco MGN is the foundation for bringing together a rich patient experience integrating Cisco and partner technologies. Partner technologies and solutions include the following:

- Data center connectivity
- Electronic medical records
- Patient self-service kiosk for check-in, check-out, co-pay, and e-signatures

¹ Cisco Medical Grade Network (MGN) is a set of Cisco-recommended guidelines for building an optimal healthcare network.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 7

... and reducing the total cost of ownership (TCO). Data traffic that contains electronic protected health information (ePHI) is isolated from the corporate infrastructure. Voice services, Cisco TelePresence systems, and the physical wireless network infrastructure are shared between the LCHC network and the Cisco corporate network. Logical IP connectivity between the LCHC and Cisco corporate data networks is not enabled, nor will it be.

Network Design

Wired Network

The LCHC voice and Cisco TelePresence systems use the Cisco internal network, with strict security imposed on the physical voice ports and their configuration. The LCHC data network connects to the Internet via Cisco's corporate DMZ, and communication that carries medical information goes through encrypted tunnels or SSL connections. Data traffic between the LCHC and the medical service provider (MSP) is sent through dedicated circuits. Thus, the flow of specific data complies with HIPAA requirements.

Key Cisco resource sites required for the MSP's operational purposes, such as access to Cisco's corporate directory for employee eligibility verification and other Cisco intranet sites for internal safety and security protocols and issue case management, can be accessed through the DMZ over an IP Security (IPsec) tunnel to the corporate network. Device monitoring by Cisco's centralized network management system can be performed through the DMZ as well.

The San Jose-based LCHC provides connections to satellite sites at Stanford Hospital and Clinics and the RTP campus in a hub-and-spoke model. The LCHC network offers a high service-level agreement (SLA); thus the design requires redundant devices in the network topology. For redundancy, there is a dedicated pair of every networking component in the hierarchy.
As shown in Figure 2, the equipment includes Cisco 3845 Integrated Services Router (ISR) DMZ gateways, Cisco 3750 ISR DMZ switches, Cisco Adaptive Security Appliances (ASAs) configured as active and standby, respectively, Cisco Catalyst 6000 distribution switches, and a Cisco 3845 headend gateway.

The ASAs are configured as the firewall and Network Address Translation (NAT) device; they provide routing for the LCHC network. Data traffic from a host on an LCHC LAN subnet traverses the distribution switches into the ASA, where it undergoes inspection by the ASA's firewall feature and then, if permitted, is either passed on to another LAN segment or follows the default route to the medical service provider through its ASA. Return traffic from the other LAN subnet or the service provider follows the reverse route into the LCHC ASA. The ASA inspects the packet and, if permitted, forwards it back to the host.

The Cisco 3845 LCHC DMZ gateway provides the uplink to the DMZ access gateways for access into the DMZ. The same internal Enhanced IGRP (EIGRP) Autonomous System (AS) runs on the Cisco 3845 for reachability to the DMZ and the internal network. Downlinks from the DMZ gateways and the outside interfaces of the ASAs are connected through Cisco 3750 Layer 2 switches, connected in a stackable configuration in order to establish a Hot Standby Router Protocol (HSRP) relationship for redundancy. The ASA outside interfaces and the DMZ gateway downlink interfaces are in an Internet-routable IP subnet. This subnet should be large enough to accommodate static NAT addresses of the LCHC network devices for management traffic and connectivity to satellite clinics.

The distribution switches connect to the ASA inside interfaces through trunks, on which all LCHC VLANs are trunked. The ASA has a physical connection to the MSP ASA for all traffic destined to the MSP and for Internet traffic.
The LCHC internal networks are configured as subinterfaces on the inside interface of the ASA, and static routing is used to direct traffic, with the default route pointing to the MSP or the DMZ, depending on the requirement. Cisco uses the third-party tool Splunk for LCHC network compliance auditing and real-time alerting on anomalies. The audit covers network traffic, user access, change management activities, and system errors.
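Added example (not part of the Cisco white paper, and not Cisco's or Splunk's own code): the two design rules stated above, that the ePHI VLANs have no logical IP path to the corporate network and that configuration changes are audited, can be checked directly against the ASA's syslog feed. The Python script below parses three real ASA message types (302013/302015 built connection, 106023 access-group deny, 111008 command executed) and raises a policy-drift finding for a permitted ePHI-to-corporate flow, an anomaly finding for a denied attempt, and a high-priority change-management finding for any ACL, NAT, route or interface command. The address plan and the log lines are constructed for the example; the paper does not give the LCHC's real addressing.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed address plan for this example (placeholders, not the LCHC's real
# addressing). Each zone is one of the network segments described in the design.
ZONES = {
    "ephi":      [ipaddress.ip_network("172.20.0.0/16")],     # LCHC VLANs carrying ePHI
    "corporate": [ipaddress.ip_network("10.0.0.0/8")],        # Cisco corporate intranet
    "msp":       [ipaddress.ip_network("192.168.100.0/24")],  # medical service provider
    "dmz_mgmt":  [ipaddress.ip_network("198.51.100.0/24")],   # DMZ-side management block
}

# Real ASA syslog formats. 302013/302015: TCP/UDP connection the policy permitted;
# 106023: flow dropped by an access-group; 111008: a CLI command was executed.
# In 302013 the "for"/"to" order depends on connection direction, so the audit
# uses only the address pair, not which side initiated.
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
    r"for [\w-]+:([\d.]+)/(\d+) \([\d.]+/\d+\) to [\w-]+:([\d.]+)/(\d+)")
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (tcp|udp|icmp) src [\w-]+:([\d.]+)(?:/\d+)? "
    r"dst [\w-]+:([\d.]+)(?:/(\d+))?")
CONFIG_RE = re.compile(r"%ASA-5-111008: User '([^']+)' executed the '([^']+)' command")
# Commands that can change what is allowed to cross the ePHI boundary.
POLICY_CMD_RE = re.compile(r"\b(access-list|access-group|nat|route|interface)\b")


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name, or 'unknown' if it is outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Reduce one ASA syslog line to an event dict; None for messages we ignore."""
    m = BUILT_RE.search(line)
    if m:
        return {"kind": "built", "proto": m.group(1), "a": m.group(2),
                "aport": m.group(3), "b": m.group(4), "bport": m.group(5)}
    m = DENY_RE.search(line)
    if m:
        return {"kind": "deny", "proto": m.group(1), "a": m.group(2),
                "aport": "", "b": m.group(3), "bport": m.group(4) or ""}
    m = CONFIG_RE.search(line)
    if m:
        return {"kind": "config", "user": m.group(1), "command": m.group(2)}
    return None


def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Apply the segmentation invariant and change-management rules to a log."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "config":
            # Every command is a change record; ACL/NAT/route edits can silently
            # open the ePHI boundary, so they get a higher severity.
            sev = "high" if POLICY_CMD_RE.search(ev["command"]) else "info"
            findings.append({"severity": sev, "rule": "config_change",
                             "detail": f"{ev['user']}: {ev['command']}"})
            continue
        pair = {zone_of(ev["a"]), zone_of(ev["b"])}
        flow = f"{ev['a']}/{ev['aport']} <-> {ev['b']}/{ev['bport']} ({ev['proto']})"
        if pair == {"ephi", "corporate"}:
            if ev["kind"] == "built":
                # Design invariant broken: the ASA permitted a flow that the
                # design says must never exist, so the policy has drifted.
                findings.append({"severity": "critical",
                                 "rule": "ephi_corporate_flow_permitted", "detail": flow})
            else:
                # Blocked as designed, but a clinical-VLAN host reaching for the
                # intranet is still an anomaly worth a look.
                findings.append({"severity": "medium",
                                 "rule": "ephi_corporate_attempt_blocked", "detail": flow})
        elif ev["kind"] == "built" and "unknown" in pair:
            findings.append({"severity": "low",
                             "rule": "flow_outside_address_plan", "detail": flow})
    return findings


# Constructed sample log (not real LCHC data); comments say what each line models.
SAMPLE_LOG = [
    # ePHI host to the MSP over the dedicated circuit: permitted by design, no finding
    "%ASA-6-302013: Built outbound TCP connection 81234 for inside:172.20.10.15/52344 (172.20.10.15/52344) to outside:192.168.100.5/443 (192.168.100.5/443)",
    # ePHI host probing the corporate intranet, blocked by the ACL
    '%ASA-4-106023: Deny tcp src inside:172.20.10.15/49152 dst outside:10.1.2.3/445 by access-group "inside_access_in" [0x0, 0x0]',
    # an operator removes the deny rule
    "%ASA-5-111008: User 'netops' executed the 'no access-list inside_access_in deny ip 172.20.0.0 255.255.0.0 10.0.0.0 255.0.0.0' command.",
    # afterwards the same flow is built: the invariant is broken
    "%ASA-6-302013: Built outbound TCP connection 81301 for inside:172.20.10.15/49160 (172.20.10.15/49160) to outside:10.1.2.3/445 (10.1.2.3/445)",
    # SNMP poll from the DMZ-side management system: permitted, no finding
    "%ASA-6-302015: Built inbound UDP connection 81302 for outside:198.51.100.20/45000 (198.51.100.20/45000) to inside:172.20.1.2/161 (172.20.1.2/161)",
    # a read-only command, recorded for the change audit only
    "%ASA-5-111008: User 'netops' executed the 'show running-config' command.",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['rule']}: {f['detail']}")
```

In the Splunk deployment the paper describes, the same logic would be a saved search over the ASA sourcetype; the point of the script is the invariant rather than the tool. A built connection between the two zones has to alert even though nothing was denied, because it is the firewall confirming that its policy no longer matches the design.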

Extension of Network and Connectivity of Services to Other Campus and Clinician Locations

As an extension to LCHC, the LifeConnections clinic at RTP uses Cisco HealthPresence technology to provide care-at-a-distance, with physicians located in San Jose providing care to employees at the RTP campus. Although the ASA can be used to terminate VPN tunnels from the remote spoke routers, Cisco suggests using a separate headend router for scalability, performance, and flexibility. The Cisco HealthPresence design is built on Dynamic Multipoint VPN (DMVPN) technology, where the headend (hub) router is used to terminate IPsec tunnels from the remote Cisco HealthPresence router. The headend router is physically connected to the LCHC Layer 2 switch and logically connected to the ASA through the existing trunk on the switch and subinterfaces on the ASA. The headend router is connected to the LCHC inside network on two interfaces: Gig0/0 for encrypted traffic to and from the Cisco HealthPresence router, and Gig0/1 for decrypted traffic for routing within the LCHC network. Correspondingly, two additional subinterfaces are created on the ASA (Gig0/1.xx for encrypted traffic and Gig0/1.yy for decrypted traffic) for the headend router connectivity. The Cisco HealthPresence design implemented at the LifeConnections clinic at RTP is replicated to extend care for specialty care services in partnership with Stanford Hospital and Clinics.

Figure 2. LCHC and Cisco HealthPresence Network

Wireless Network

Wireless infrastructure plays a crucial role in providing true mobility throughout the facility for LCHC clinicians. The wireless infrastructure deployed by Cisco IT is highly reliable, easy to manage, and resilient for voice and other patient care applications. The LCHC wireless network consists of a pair of Cisco 5500 Series Wireless LAN Controllers along with more than 46 Cisco Aironet 3500 Series Access Points installed throughout the facility. The Cisco Unified Wireless Network Architecture offers redundancy at several levels. At the RF level, the system self-heals when one or more access points become inactive. The architecture also supports port redundancy per controller and controller device redundancy.

The LCHC wireless network supports both wireless voice and data access anywhere in the facility. The IEEE 802.11a/b/g/n Cisco Aironet 3500 Series Access Points can be centrally managed with Cisco 5500 Series Wireless LAN Controllers in a high-availability architecture along with the Cisco Wireless Control System (WCS) management software. The Cisco WCS provides centralized network management, security monitoring, and localization of rogue devices, and it automatically associates each new access point with the controller, eliminating manual configuration and saving many hours of maintenance time.

The LCHC wireless network contains not only LCHC local Service Set Identifiers (SSIDs) but also Cisco corporate wireless SSIDs. The broadcast of LCHC SSIDs is limited to the relevant groups for access. The Cisco corporate wireless infrastructure is logically extended to the LCHC premises through trunk links. In addition to centralized management and rapid deployment of all of the access points, the Cisco Unified Wireless Network offers segmentation of user groups. This feature enables LCHC IT staff to configure separate virtual LANs for voice and data, helping to ensure both data security and quality of service (QoS) for voice traffic.
Voice receives top priority to support the ability to roam seamlessly from access point to access point without dropping a call. QoS and the reliability of the network are further enhanced through support for Wi-Fi Multimedia (WMM), which prioritizes delay-sensitive traffic to provide uninterrupted service and voice optimization. The LCHC technology stack also includes the Cisco Context-Aware Mobility Solution for automated regulatory compliance and risk management, where the wireless network is used to locate people and objects and to measure temperature using Radio Frequency Identification (RFID) tags. Integrated with the AeroScout MobileView server, the solution gives LCHC IT staff the ability to monitor refrigerator temperature and room temperature and to track LCHC-managed mobile assets.

The LCHC uses the following Cisco Unified Wireless Network applications:

- Cisco 5500 Series Wireless LAN Controllers
- Cisco Aironet 3500 Access Points with CleanAir technology
- Cisco 3310 Mobility Services Engine
- Cisco Wireless Control System

The LCHC uses the following products provided by Cisco technology partners:

- AeroScout RFID tags
- AeroScout MobileView Server
- Personal digital assistants (PDAs)
- Laptops

Conclusion

In keeping with our Cisco on Cisco vision and technology evolution, the MGN will follow technology and product upgrades. This scalable and regulatory-compliant connected architecture has been used and replicated for the new LifeConnections Health Center at Bangalore and three satellite clinics, resulting in a 50-percent productivity and implementation cost savings.

For More Information

For more information about Cisco MGN, please visit:
